bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Warnings when scanning terraform code with dynamic blocks with 3.2.303+ #6861

Open tberreis opened 1 day ago

tberreis commented 1 day ago

Describe the issue

We are using dynamic blocks in our terraform code and while scanning with checkov 3.2.302 ran successfully, 3.2.303 throws lots of warnings with "Failed updating attribute for key ... Falling back to explicitly setting it.Exception - Parse error at 1:12 near token rule (ID)" as shown in line three of the example below.

This seems to be related to the PR https://github.com/bridgecrewio/checkov/pull/6852.

All in all the scan result is the same but I don't know whether these warnings are expected here or a code change is needed. Feel free to close this issue.

Examples

Terraform code snippet:

  dynamic "immutability_policy" {
    for_each = var.immutability.enabled ? [1] : []

    content {
      state                         = var.immutability.storage_account_policy.state
      allow_protected_append_writes = var.immutability.storage_account_policy.allow_protected_append_writes
      period_since_creation_in_days = var.immutability.storage_account_policy.period_since_creation_in_days
    }
  }

Scan result with 3.2.302:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.302 -d /data --quiet --compact
2024-11-21 08:04:44,540 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-21 08:04:44,541 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 7, Failed checks: 2, Skipped checks: 10

Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-206

Scan result with 3.2.303:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.303 -d /data --quiet --compact
2024-11-21 08:07:24,064 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-21 08:07:24,064 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
2024-11-21 08:07:24,345 [MainThread  ] [WARNI]  Failed updating attribute for key: dynamic.1.rule and value {'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'} forvertex attributes {'__end_line__': 158, '__start_line__': 97, 'count': ['${local.storage_management_policy_required ? 1 : 0}'], 'dynamic': [{'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}}, {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}}, {'rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}}], 'storage_account_id': ['${azurerm_storage_account.this.id}'], 'rule': [{'actions': [{'base_blob': [{'delete_after_days_since_modification_greater_than': [30]}]}], 'enabled': [True], 'filters': [{'blob_types': [['appendBlob']], 'prefix_match': [['insights-logs-']]}], 'name': ['insights-logs-rule']}, {'actions': [{'base_blob': [{'delete_after_days_since_modification_greater_than': ['${rule.value}']}]}], 'enabled': [True], 'filters': [{'blob_types': [['appendBlob', 'blockBlob']], 'prefix_match': [['${rule.key}/']]}], 'name': ['${rule.key}-rule']}, {'actions': [{'version': [{'delete_after_days_since_creation': ['${var.blob_versioning.lifecycle_policy.delete_version_after_days}']}]}], 'enabled': ['${var.blob_versioning.enabled}'], 'filters': [{'blob_types': [['appendBlob', 'blockBlob']]}], 'name': ['delete-previous-versions-rule']}], 'resource_type': ['azurerm_storage_management_policy'], 'dynamic.0': {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}}, 'dynamic.0.rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}, 'dynamic.0.rule.content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'dynamic.0.rule.content.actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'dynamic.0.rule.content.actions.base_blob': {'delete_after_days_since_modification_greater_than': 30}, 'dynamic.0.rule.content.actions.base_blob.delete_after_days_since_modification_greater_than': 30, 'dynamic.0.rule.content.enabled': True, 'dynamic.0.rule.content.filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'dynamic.0.rule.content.filters.blob_types': ['appendBlob'], 'dynamic.0.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.0.rule.content.filters.prefix_match': ['insights-logs-'], 'dynamic.0.rule.content.filters.prefix_match.0': 'insights-logs-', 'dynamic.0.rule.content.name': 'insights-logs-rule', 'dynamic.0.rule.for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}', 'dynamic.1': {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}}, 'dynamic.1.rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}, 'dynamic.1.rule.content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'dynamic.1.rule.content.actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'dynamic.1.rule.content.actions.base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}, 'dynamic.1.rule.content.actions.base_blob.delete_after_days_since_modification_greater_than': '${rule.value}', 'dynamic.1.rule.content.enabled': True, 'dynamic.1.rule.content.filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'dynamic.1.rule.content.filters.blob_types': ['appendBlob', 'blockBlob'], 'dynamic.1.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.1.rule.content.filters.blob_types.1': 'blockBlob', 'dynamic.1.rule.content.filters.prefix_match': ['${rule.key}/'], 'dynamic.1.rule.content.filters.prefix_match.0': '${rule.key}/', 'dynamic.1.rule.content.name': '${rule.key}-rule', 'dynamic.1.rule.for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}', 'dynamic.2': {'rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}}, 'dynamic.2.rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}, 'dynamic.2.rule.content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'dynamic.2.rule.content.actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'dynamic.2.rule.content.actions.version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}, 'dynamic.2.rule.content.actions.version.delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}', 'dynamic.2.rule.content.enabled': '${var.blob_versioning.enabled}', 'dynamic.2.rule.content.filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'dynamic.2.rule.content.filters.blob_types': ['appendBlob', 'blockBlob'], 'dynamic.2.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.2.rule.content.filters.blob_types.1': 'blockBlob', 'dynamic.2.rule.content.name': 'delete-previous-versions-rule', 'dynamic.2.rule.for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}. Falling back to explicitly setting it.Exception - Parse error at 1:12 near token rule (ID)

[...]

terraform scan results:

Passed checks: 7, Failed checks: 2, Skipped checks: 10

Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-206

Version (please complete the following information):

Additional context

https://github.com/bridgecrewio/checkov/pull/6852
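The report above compares the two scans by eye and concludes that the findings are the same. Below is an added example (not part of the issue and not Checkov's own code) of doing that comparison programmatically when bumping Checkov versions: it diffs the failed checks of two `checkov -o json` reports and also looks at the `parsing_errors` counter in the summary, because a parser regression that silently drops a resource shrinks the failed set and would otherwise look like an improvement. It assumes the JSON report shape Checkov emits for `-o json` (one object per framework with `results.failed_checks` and a `summary`, or a list of such objects when several frameworks ran); the two sample reports are constructed to mirror the two text summaries in the issue and are not real Checkov output.

```python
"""Diff the failed checks of two Checkov JSON reports (added example).

Usage with real reports, one per Checkov version:
  docker run -v $PWD:/data --rm docker.io/bridgecrew/checkov:3.2.302 -d /data -o json > old.json
  docker run -v $PWD:/data --rm docker.io/bridgecrew/checkov:3.2.303 -d /data -o json > new.json
  python3 compare_checkov.py old.json new.json
"""
import json
import sys
from typing import Any, Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (check_id, resource, file_path)


def _sample_report(checkov_version: str) -> str:
    # Constructed sample mirroring the issue's two scans (2 failed checks on
    # azurerm_storage_account.this, no parsing errors); not real Checkov output.
    return json.dumps({
        "check_type": "terraform",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_AZURE_59", "resource": "azurerm_storage_account.this",
                 "file_path": "/main.tf", "file_line_range": [12, 95]},
                {"check_id": "CKV_AZURE_206", "resource": "azurerm_storage_account.this",
                 "file_path": "/main.tf", "file_line_range": [12, 95]},
            ],
            "skipped_checks": [],
        },
        "summary": {"passed": 7, "failed": 2, "skipped": 10, "parsing_errors": 0,
                    "checkov_version": checkov_version},
    })


REPORT_OLD = _sample_report("3.2.302")
REPORT_NEW = _sample_report("3.2.303")


def _reports(text: str) -> List[Dict[str, Any]]:
    """Normalise a report to a list: Checkov emits a single object for one
    framework and a list of objects when several frameworks ran."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_findings(text: str) -> Set[Finding]:
    """Identity of every failed check: the check id plus the resource and file it hit."""
    found: Set[Finding] = set()
    for report in _reports(text):
        for check in report.get("results", {}).get("failed_checks", []):
            found.add((check["check_id"], check["resource"], check["file_path"]))
    return found


def parsing_errors(text: str) -> int:
    """Sum of the summary parsing_errors counters across frameworks."""
    return sum(int(r.get("summary", {}).get("parsing_errors", 0)) for r in _reports(text))


def compare(old_text: str, new_text: str) -> Dict[str, Any]:
    old, new = failed_findings(old_text), failed_findings(new_text)
    return {
        "fixed": sorted(old - new),        # failed before, not now
        "new": sorted(new - old),          # failed now, not before
        "unchanged": sorted(old & new),
        "parsing_errors": (parsing_errors(old_text), parsing_errors(new_text)),
    }


def is_benign_upgrade(old_text: str, new_text: str) -> bool:
    """True when the new version reports exactly the same failures and no
    parsing errors; a smaller failed set next to parsing errors means a
    resource was dropped, not fixed."""
    result = compare(old_text, new_text)
    return not result["fixed"] and not result["new"] and result["parsing_errors"][1] == 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = REPORT_OLD, REPORT_NEW
    print(json.dumps(compare(old_text, new_text), indent=2))
    sys.exit(0 if is_benign_upgrade(old_text, new_text) else 1)
```

Run without arguments it compares the two constructed samples and exits 0, since both carry the same two failures and no parsing errors. The WARNING lines themselves are log output, not findings; Checkov reads the `LOG_LEVEL` environment variable, so `LOG_LEVEL=ERROR` in the `docker run` environment silences them without changing what is scanned, which is acceptable only after a comparison like this one has shown the results are unchanged.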

andresionek91 commented 1 day ago

I think this relates to https://github.com/bridgecrewio/checkov/issues/6855